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This paper presents a case study of formalizing a normalization proof for Leivant’s Predicative Sys¬ 
tem F [6] using the EQUATIONS package. Leivant’s Predicative System F is a stratified version of 
System F, where type quantification is annotated with kinds representing universe levels. A weaker 
variant of this system was studied by Stump & Eades [5, 3], employing the hereditary substitution 
method to show normalization. We improve on this result by showing normalization for Leivant’s 
original system using hereditary substitutions and a novel multiset ordering on types. Our develop¬ 
ment is done in the Coq proof assistant using the EQUATIONS package, which provides an inter¬ 
face to define dependently-typed programs with well-founded recursion and full dependent pattern¬ 
matching. Equations allows us to define explicitly the hereditary substitution function, clarifying 
its algorithmic behavior in presence of term and type substitutions. From this definition, consistency 
can easily be derived. The algorithmic nature of our development is crucial to reflect languages with 
type quantification, enlarging the class of languages on which reflection methods can be used in the 
proof assistant. 

1 Introduction 

EQUATIONS [10] is a toolbox built as a plugin on top of the COQ proof assistant for writing dependently- 
typed programs in COQ. Given a high-level specification of a function, using dependent pattern-matching 
and complex recursion schemes, its puipose is to compile it to pure COQ terms. This compilation scheme 
builds on the work of Goguen et al [4], which explains dependent pattern-matching [2] in terms of ma¬ 
nipulations of propositional equalities. In essence, dependent pattern-matching is compiled away using 
a reduction-preserving encoding with eliminators for the equality type between datatypes. In addition to 
this compilation scheme, EQUATIONS also automatically derives the resulting equations as propositional 
equalities, abstracting entirely from the encoding of pattern-matching found in the actual compiled def¬ 
inition, and an elimination scheme corresponding to the graph of the function. This elimination scheme 
can then be used to simplify proofs that directly follow the case-analysis and recursion behavior of the 
function without repeating it. EQUATIONS supports definitions using arbitrarily complex well-founded 
recursion schemes, including the nested kind of recursion found in hereditary substitution functions, and 
the generation of unfolding lemmas and elimination schemes for those as well. Additionally, EQUA¬ 
TIONS plays well with the Program extension of COQ to manipulate subset types (also known as refine¬ 
ment types). 

The purpose of this paper is to present a case study of using EQUATIONS to show the normalization 
of Predicative System F, in an algorithmic way such that the normalization function can actually be run 
inside the proof assistant. 

Predicative System F was introduced by Leivant [6] to study the logical strength of different exten¬ 
sions of arithmetic. Using kinds to represent levels of allowed predicative quantification, he can show 
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that super-elementary functions can be represented in this system. He employs a Tait-Girard logical 
relation proof to argue normalization. 

Stump and Eades [5] took the system and studied a normalization proof using hereditary substitution. 
However, they needed to define a variant of the system where the kinding rule of universal quantifications 
is more restrictive, which makes level n + 1 not closed by quantifications over types in level n. They 
claim that the same derivations can be done in their system but give no proof of such fact. We remedy 
this situation by giving a simple normalization proof still based on hereditary substitution using a novel 
ordering on types based on multisets of kinds. 

The hereditary substitution function ends up being defined as one would do in e.g. ML, but com¬ 
bining Program and EQUATIONS, it can be shown to inhabit a richer type, providing a proof that the 
function indeed computes normal forms given inputs in normal form. The pre and postconditions of the 
hereditary subsitution function, which will be explicited later, are actually necessary to justify the termi¬ 
nation of this function. From this it is easy to derive normalization and show that the system is consistent 
(relatively to Coq’s theory, with the K axiom currently, although we hope to have an axiom-free version 
working by the time of the workshop). 

The paper is organized as follows: in §2 we present a gentle introduction to the EQUATIONS pack¬ 
age and its features and quickly explain the main differences with the original presentation from [10]. 
Then we summarize the standard definitions and metatheoretical results on Predicative System F that we 
proved and highlight the main differences with the presentation of [5], We provide the COQ develop¬ 
ment of our proof supplemented with some commentary to help follow along. First in §3 we present the 
language definition, with its typing and reduction rules. Then we show in §4 some metatheoretical prop¬ 
erties on this language, such as substitution lemmas and regularity. Section 5 is dedicated to showing 
strong normalization of the calculus, which includes defining a well-founded ordering to justify the ter¬ 
mination of the hereditary substitution function, and its definition itself using the EQUATIONS package. 
We also provide as an appendix the code which is produced from this definition by COQ’s extraction 
mechanism. Finally, we compare with related work and conclude in §6. 

2 Equations 

EQUATIONS allows one to write recursive functions by specifying a list of clauses with a pattern on the 
left and a term on the right, a la Agda [9] and Epigram [8]. Here is an example recursive definition on 
lists, where wildcards corresponds to arbitrary fresh variables in patterns: 

Equations length {A} (/ : list A) : nat := 

length _ [] =>■ 0; 

length _ (cons _ t) =>■ S (length t). 

The package starts by building a splitting tree for the definition and then compiles it to a pure COQ 
term. From the splitting tree, it also derives the equations as propositional equalities, which can be more 
robust to use than reduction when writing proofs about the constant, although in this particular case the 
compiled definition is the same as the one from the standard library. Here we have two leaves in the 
computation tree hence two equations: 

Check length_equation_l : VA : Type, length [] =0. 

Check length_equation_2 : V (A : Type) (a : A) (l : list A) , length (cons a 1) = S (length Z). 

These two equations are automatically added to a rewrite hint database named length and can be used 
during proofs using the simp length tactic. In addition, an elimination principle for length is derived. Note 
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that length_comp is just a definition of the return type of length in terms of its arguments, i.e. it is A A /, 
nat here: 

Check length_elim : VP : V (A : Type) (/ : list A) , length_comp l — » Prop, 

(V A : Type, P A [] 0) — > 

(V (A : Type) ( a : A) (/ : list A) , P A l (length /) — > P A (cons a l) (S (length /))) — > 

V (A : Type) (/ : list A) , PA / (length /). 

This elimination principle can be used in proofs to eliminate calls to length and refine at the same 
time the arguments and results of the call in the goal. For example, to prove the following lemma, one 
can apply the functional elimination principle using th efunelim tactic to eliminate the length / call: 

Lemma length_rev {A} (/ : list A) : length (rev T) = length 1. 

Proof. 

funelim (length /). 

We get two subgoals, easily solved by simplification and arithmetic. 

A : Type 


length (rev []) = 0 

A : Type 
a : A 
/ : list A 

// : length (rev l) = length / 


length (rev (cons a /)) = S (length /) 

- simp length. 

- simpl; rewrite length_app, H\ simp length', omega. 

Qed. 

2.1 Dependent Pattern-Matching 

EQUATIONS handles not only simple pattern-matching on inductive types, but also dependent pattern¬ 
matching on inductive families. With respect to the standard COQ match construct, it eases the definition 
of complex pattern-matchings by compiling in the proof term all the inversion and unification steps that 
must be witnessed. Here is an example with the le relation on natural numbers. 

Inductive le : nat — >• nat — > Set := 

| Iz : V {«}, 0 < n 

| Is : V {m n}, m <n —>• (S m ) < (S n ) where ”m < n” := (le m n). 

Proving antisymmetry of this relation requires only two cases, because pattern matching on the first 
argument determines the endpoints of the second argument: 

Equations antisym {m n : nat} ( x : m <n) (y : n < m) : m = n := 
antisym _ _ x y by rec x =>• 
antisym _ _ Iz Iz =>■ eq_refl; 
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antisym _ _ (Is x) (Is y) => f_equal S (antisym * y). 

More precisely, in the x = Iz case, it is possible during the translation to deduce that m must be 
0, which implies that y cannot be some application of Is. These deductions are done automatically by 
EQUATIONS, which allows to reduce this proof to its simplest form. Writing it explicitely in pure COQ 
would be actually annoying and require explicit mention of impossible cases and surgical rewritings with 
equalities. 

2.2 Recursion 

Note that we use a clause by rec x => here in addition to the pattern-matching. This is a different kind of 
right-hand-side, that allows to specify the recursion scheme of the function. We are using well-founded 
recursion on the m < n hypothesis here. The implicit ordering used is actually automatically derived 
using a Derive Subterm f or le command, and corresponds to the transitive closure of the direct subterm 
relation, i.e. the deep structural recursion ordering. 

The compiled definition cannot be checked using the built-in structural guardness check of COQ, 
because the equality manipulations appearing in the term go outside of the subset of recursion schemes 
recognized by it. It would have to handle commutative cuts and specific constructs on the equality type. 
Also, the syntactic check can be very slow on medium-sized terms. 

The solution here, using the logic to justify the recursive calls, means that we are freed from any 
syntactic restriction, and any logical justification for termination is allowed. At each recursive call, we 
must simply provide a proof that the given argument is strictly smaller than the initial one in the subterm 
relation. An automatic proof search using the constructors of the subterm relation for le solves these 
subgoals for us here, otherwise they are given as obligations for the user to prove. 

As in the case of length, we provide equations and an elimination principle for the definition. In case 
well-founded recursion is used, we first prove an unfolding lemma for the definition which allows us to 
remove any reasoning on the termination conditions after the definition. The equations are as expected: 

Check antisym_equation_ 1 : antisym Iz Iz = eq_refl. 

Check antisym_equation_2 : V (nl mO : nat) (/: nl < mO) (10 : mO <nl ), 
antisym (Is /) (Is 10) = f_equal S (antisym / 10). 

And the elimination principle, with the correct inductive hypothesis in the recursive case: 

Check antisym_elim : V P : V (m n : nat) (x : m < n) (y : n < m) , antisym_comp x y — >• Prop, 

P 0 0 Iz Iz eq_refl 

—> (V (nl mO : nat) (/: nl < mO) (10 : mO < nl) , P nl mO 110 (antisym 110) —y 
P (S nl) (S mO) (Is 1) (Is 10) (f_equal S (antisym 110))) —y 
V (m n : nat) (x : m < n) (y : n < m) , P mnxy (antisym x y). 

The last feature of EQUATIONS necessary to write real definitions is the with construct. This con¬ 
struct allows to do pattern-matching on intermediary results in a definition. A typical example is the filter 
function on lists, which selects all elements of the original list respecting some boolean predicate: 

Context {A} (p : A —y bool). 

Equations filter (1 : list A) : list A := 
filter [] := [] ; 

filter (cons a I) <t= p a =>■ { | true := cons a (filter 1) ; | false := filter 1 }. 

The right-hand side adds a new pattern to the left-hand side of its subprogram, for an 

object of type bool here. The subprogram is actually defined as another proxy constant, which takes as 
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arguments the variables a, p and a new variable of type bool. The clauses of the subprogram can shortcut 
the filter (cons a I) part of the pattern which is automatically inferred from the enclosing left-hand side. 

The generated equations for such definitions go through the proxy constant, hence we have two 
equations for filter and two for filter Jielper_l , which is the name of the proxy constant. To generate 
the elimination principle, a mutually inductive graph is generated, and the predicate applying to the 
subprogram is defined in terms of the original one, adding an equality between the new variable and the 
exact term it is applied to in the enclosing program. This way, we cannot forget during proofs that the 
true or false cases are actually results of a call to p a. Note that there are three leaves in the original 
program (and splitting tree) hence three cases to consider here. 

Check *filter_elim : V (A : Type) (p : A — > bool) (P : list A — > list A — > Prop) 

( PO:=X ( a : A) (refine : bool) (/ H : list A) , p a = refine — > P (cons a 1) H) , 

P [] [] — > (V ( a : A) (l : list A) , P l (filter p l) — >■ PO a true l (cons a (filter p /))) — > 

(V ( a : A) (1 : list A) , P l (filter p 1) -*• PO a false / (filter p /)) — > 

V / : list A, P1 (filter p l). 

In general, the term used as a new discriminee is abstracted from the context and return type at 
this point of the program before checking the subprogram. In that case the eliminator predicate for the 
subprogram has a dependent binding for the t = refine hypothesis that is used to rewrite in the type of 
hypotheses and results. This is examplified in the following classical example: 

Inductive incl {A} : list A — )• list A — > Prop := 
stop : incl nil nil 

| keep {x : A} {r^ys : list A} : incl xsys — » incl (consxxsj (const ys) 

| skip {x : A} {xsys : list A} : incl xsys —)• incl (xs) (cons r ys). 

We define list inclusion inductively and show that filtering out some elements from a list xs results 
in a included list. 

Equations(nocomp) sublist {A} {p : A — > bool) (xs : list A) : incl (filter p xs) xs := 

sublist A p nil := stop ; 

sublist A p (cons x xs) with p x := { 

| true := keep (sublist p xs) ; | false := skip (sublist p xs)}. 

Here at the with node, the return type is incl (if p x then cons r (filter p xs) else filter p xs) (cons 
x xs). We abstract p x from the return type and check the new subprogram in context A P x xs (ref ine : 
bool) with return type: incl (if refine then cons x (filter p) xs else filter p xs) (cons x xs). 

Each of the patterns instantiates refine to a constructor, so the return type reduces to the two ex¬ 
pected cases matching with conclusions of the incl relation. The (nocomp) option indicates that we do 
not want the return type to be defined using a _comp constant. Indeed, the term keep (sublist p xs) would 
not be well-typed, as it is expected to have type sublist-comp p (x :: xs) which is incl (filter p (x :: xs)) (x 

:: xs), but has type incl (x :: filter p xs) (x :: xs). This is just a technical limitation we hope to remove in 

the future. 

Check *sublist_elim : V (P : V (A : Type) (p : A — »• bool) (rs : list A) , incl (filter p xs) xs — > Prop) 
(P0:= A (A : Type) (p : A — >• bool) (a : A) (refine : bool) (1 : list A) 

(H : incl (filter_obligation_2 (filter p) a refine l) (cons a /)) , 

V Heq : p a = refine , P A p (cons a l) 

(eq_rect_r (A r : bool , incl (filter_obligation_2 (filter p) a r 1) (cons a /)) H Heq)) , 

(V (A : Type) (p : A — > bool) , P A p [] stop) — > 

(V (A : Type) (p : A — > bool) (a : A) (l : list A) , 
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P A p l (sublist p l) -A PO A p a true l (keep (sublist p /))) — » 

(V ( A : Type) (p : A — » bool) ( a : A) (/ : list A ) , 

P A p I (sublist p 1) -A PO A p a false 1 (skip (sublist p /))) -A 
V (A : Type) (p : A -A bool) (xs : list A) , P A p xs (sublist p xs). 

The resulting elimination principle, while maybe not so useful in that case as this program constructs 
a proof, shows the explicit rewriting needed in the definition of the subpredicate PO. 

This concludes our exposition of EQUATIONS and we now turn to the formalization of Predicative 
System F. 

3 Typing and reduction 

3.1 Definition of terms 

Recall that Predicative System F is a typed lambda calculus with type abstractions and applications. Our 
type structure is very simple here, with just the function space and universal quantification on kinded type 
variables. We use an absolutely standard de Bruijn encoding for type and term variables. The kinds (a.k.a 
universe levels) are represented using natural numbers. Our development is based on Jerome Vouillon’s 
solution to the POPFmark challenge for System F sub [11]. 

Definition kind := nat. 

Inductive typ : Set := 

| tvar : nat -A typ | arrow : typ — > typ — > typ | all : kind — » typ — > typ. 

We will write V X :* k. T for the quantification over types of kind k. 

Inductive term : Set := 

| var : nat -A term 
| abs : typ -A term —> term 
| app : term -a term —> term 
| tabs : kind — > term — » term 
| tapp : term — > typ — > term. 

Our raw terms are simply the abstract syntax trees. 

3.2 Shiftings and substitutions 

We define the different operations of shifting and substitutions with the EQUATIONS package, we only 
show the substitution function here which uses a with right-hand side. All the development can be 
downloaded or browsed at http: //equations-fpred.gf orge . inria.fr. 

Check shift_typ : V (X : nat) ( t : term) , term. 

Check tsubst : typ — > nat — > typ — » typ. 

Equations subst ( t : term) ( x : nat) ( t’ : term) : term := 

subst (var y )xt’<= lt_eq_lt_dec y x => { 

| inleft (left _) => var y; 

| inleft (right _) => t’\ 

| inright _ =>■ var (y - 1) }; 

subst (abs T112) x t’ =A abs T1 (subst t2 (1 + x) (shift 0 t’))\ 
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subst (app tl t2) app (subst tl x t’) (subst t2 x t’)\ 

subst (tabs k t2) xt’ =$- tabs k (subst t2 x (shift_typ 0 t’))\ 
subst (tapp tl T2) x t’ =>- tapp (subst tl x t’) T2. 

Check subst_typ : term — >• nat — > typ — > term. 


3.3 Contexts 

We define the contexts env and the two functions get_kind and get_var which access the context. A 
context is an interleaving of types and terms contexts. Vouillon’s great idea is to have parallel de Bruijn 
indexings for type and term variables, which means separate indices for type and term variables. That 
way, shifting and substitution of one kind does not influence the other, making weakening and substitu¬ 
tion lemmas much simpler, we follow this idea here. 

Inductive env : Set := 

| empty : env | evar : env — >• typ — >• env | etvar : env — > kind — >• env. 

Note that EQUATIONS allows wildcards and overlapping clauses with a first match semantics, as 
usual. 

Equations {nocomp) get_kind (e : env) (X : nat) : option kind := 

get_kind empty _ =>■ None; 

get_kind (evar e _) X => get_kind e X; 

get_kind (etvar _ T) 0 => Some T ; 

get_kind (etvar e _) (S X) =>■ get_kind e X. 

We need the functorial map on option types to ease writing these partial lookup functions. 

Equations opt_map ( A B : Set) (f : A — > B) (x : option A ) : option B := 
opt_map _ _/ (Some x) => Some if x)\ 
opt_map _ None =$■ None. 

Equations(nocom/?) get_var ( e : env) (x : nat) : option typ := 
get_var empty _ None; 

get_var (etvar e _) x => opt_map (tshift 0) (get_var e x); 
get_var (evar _ T) 0 => Some T ; 
get_var (evar e _) (S x) =>■ get_var e x. 


3.4 Well-formedness conditions 

We also define some well-formedness conditions for types, terms and contexts. Namely, in a type (resp. 
in a term), the variables must all be kinded (resp. typed). We just show the wf_typ definition here, those 
follow Stump and Haye’s work. 

Equations wf_typ (e : env) (T : typ) : Prop := 
wf_typ e (tvar X) =>- get_kind eX / None; 
wf_typ e (arrow Tl T2) =$■ wf_typ e Tl A wf_typ e T2; 
wf_typ e (all k T2) wf_typ (etvar e k) T2. 
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3.5 Kinding and typing rules 

The kinding rules are the main difference between Leivant’s and Stump’s presentations. We refer to these 
works for pen and paper presentations of these systems, due to lack of space, we cannot include them 
here. The case for universal quantification sets the level of a universal type at 1 + max k k’, where k and 
k’ are respectively the domain and codomain kinds, in Stump’s case, which allows for a straightforward 
order on types based on levels, but this means that each level is not closed under products from lower 
levels anymore. In other words, multiple quantifications at the same level raise the overall level. For 
example (V X :* 0. X ) :* 1 as expected but V X :* 0. V Y :* 0. X :* (1 + max 0(1+ max 0 0)) = 2. This is 
a very strange behavior. 

We use the standard predicative product rule which sets the product level to max (7+1) k\ which di¬ 
rectly corresponds to Martin-Lof’s Predicative Type Theory. Note that the system includes cumulativity 
through the Var rule which allows to lift a type variable declared at level k into any higher level k’ . 

Inductive kinding : env — » typ — > kind — > Prop := 

| T_TVar : V {e : env) ( X : nat) ( k k’ : kind), wf_env e -+ 
get_kind e X = Some k — > k <t= k’ -+ kinding e (tvar X) k’ 

| T_Arrow : V e T JJ kk\ kinding e T k -+ kinding e U k’ —> kinding e (arrow T U) (max k k’) 

| T_AII : V e T k k’, kinding (etvar e k) T k’ -+ kinding e (all k T ) (max (7+1) k’). 

The typing relation is straightforward. Just note that we check for well-formedness of environments 
at the variable case, so typing derivations are always well-formed. 

Inductive typing : env — > term — >• typ — > Prop := 

| T_Var (e : env) {x : nat) (T : typ) : wf_env e -+ get_var e x = Some T —> typing e (var x) T 
| T_Abs {e : env) (t : term) ( T1 T2 : typ) : 

typing (evar e Tl) t T2 -+ typing e (abs T1 t) (arrow T1 T2 ) 

| T_App ( e : env) {tl t2 : term) {Til T12 : typ) : 

typing e tl (arrow Til T12) -+ typing e t2 Til -+ typing e (app tl t2) T12 
| T_Tabs {e : env) {t : term) {k : kind) {T : typ) : 

typing (etvar e k) t T -+ typing e (tabs k t) (all k T) 

| T_Tapp {e : env) {t : term) k {Tl T2 : typ) : 

typing e t (all k Tl) -+ kinding e T2 k -+ typing e (tapp t T2) (tsubst 77 0 72). 

3.6 Reduction rules 

To define normalization we must formalize the reduction relation of the calculus. Beta-redexes for this 
calculus arc the application of an abstraction to a term and the application of a type abstraction to a type. 

Inductive red : term -+ term — > Prop := 

| E_AppAbs (T : typ) {tl t2 : term) : red (app (abs T tl) t2) (subst tl 0 t2) 

| E_TappTabs k (T : typ) {t : term) : red (tapp (tabs k t) T) (subst_typ 1 0 T). 

We define the transitive closure of reduction on terms by closing red by context. 

Inductive sred : term — > term — >• Prop := 

| Red_sred 11’ : red 11’ —> sred 11’ 

| sred_trans tl t2 t3 : sred tl t2 —> sred t2 t3 —> sred tl t3 
| Par_app Jeft tl tl’ t2 : sred tl tl’ sred (app tl t2) (app tl ’ t2) 

| Par_app_right tl t2 t2’ : sred t2 t2’ —> sred (app tl t2) (app tl t2’) 

| Par_abs T 11’ : sred 11’ —>• sred (abs T t) (abs T t’) 
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| Par_tapp 11’ T : sred 11’ sred (tapp t T) (tapp t’ T) 

| Par_tabs k 11’ : sred 11’ sred (tabs k f) (tabs k t’). 

Definition reds ? « := clos_refl sred t n. 

We can prove usual congruence lemmas on reds showing that it indeed formalizes parallel reduc¬ 
tion. 

4 Metatheory 

The metatheory of the system is pretty straightforward and follows the one of F sub closely. We only 
mention the main idea for type substitution and the statements of the main metatheoretical lemmas. 

To formalize type substitution, we use a proposition env_subst that corresponds to the environment 
operation: E, X :* k, E’ =4> E, (X H » T’) E’ assuming E P T’ :* k. In other words, env_subst X T e e’ 
holds whenever we can find environments E, E’ and a kind k such that E P T :* k and e = E, X :* k, E’ 
and e’ = E, (X 7”) E’. 

Inductive env_subst : nat —> typ — >• env — > env — >• Prop := 

| es_here ( e : env) (T : typ) ( k : kind) : kinding e T k — »• env_subst 0 T (etvar ek) e 
| es_var (X : nat) (T T : typ) {e e’ : env) : 

env_subst X T’ e e’ — > env_subst X T’ (evar e T ) (evar e’ (tsubst T X T’)) 

| es_kind (X : nat) k (7” : typ) ( e e’ : env) : 

env_subst XTTc’-t env_subst (1 + X) (tshift 0 T’) (etvar e k) (etvar e’ k). 

4.1 Typing and well-formedness 

Actually, both kinding and typing imply well-formedness. In other words, it is possible to kind a type T 
in an environment e only if both the type and the environment are well-formed. 

Lemma kinding_wf ( e : env) ( T : typ) {k : kind) : kinding e T k — »• wf_env e A wf_typ e T. 

4.2 Weakening 

We only show the main weakening lemma for typing: if e’ results from e by inserting a type variable at 
position X with any kind, the term and types of a typing derivation can be shifted accordingly to give a 
new typing derivation in the extended environment. 

Lemma typing_weakening_kind_ind (e e’ : env) (X : nat) ( t : term) ( U : typ) : 
insert_kind Xee’-> typing e t U —> typing e’ (shift_typX t) (tshift X U). 

Weakening by a term variable preserves typing as well. 

Lemma typing_weakening_var (e : env) (t : term) ( U V : typ) : 
wf_typ e V -A typing e t U -A typing (evar e V) (shift 0 t) U. 

4.3 Narrowing 

As the system includes a kind of subtyping relation due to level cumulativity, we can prove a narrowing 
property for derivations. Again we define a judgment formalizing that a context e’ is a narrowing of a 
context e if they arc identical but for one type variable binding (T : k’) in e’ and (T : k) in e with k’ <k. 
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Inductive narrow : nat — > env — »• env — >• Set := 

narrow_0 ( e : env) ( k k’ : kind) : k’ < k narrow 0 (etvar e k) (etvar e k’) 

| narrow_extend_kind (e e’ : env) ( k : kind) ( X : nat) : 

narrow Xee’-y narrow (1 + X ) (etvar e k) (etvar e’ k) 

| narrow_extend_var ( e e’ : env) (T : typ) ( X : nat) : 

wf_typ e’ T — > narrow X e e’ narrow X (evar e T ) (evar e’ T). 

Before we can show narrowing, we have to show that kinding respects cumulativity: If it is provable 
that a type T has kind k in the context e, then we can also prove that it has any kind k’ for k < k’ . 

Lemma kinding-transitive e T k k’ : kinding eTk^k<k’-± kinding e T k’. 

Narrowing is a strong property, in the sense that a type T can have in a narrowing of a context e any 
kind that it can have in e itself. 

Lemma typing .narrowing _ind (e e’ : env) (X : nat) (t : term) ( U : typ) : narrow X e e’ — > typing e t U 
— > typing e’t U. 

4.4 Substitution 

Now, substitution lemmas can be proven for the various substitution functions. 

Lemma subst_preserves_typing ( e : env) (x : nat) (t u : term) ( V W : typ) : 

typing e t V — > typing (remove.var e x) u W — >• get.var ex = Some W — > typing (remove.var e x) 
(subst t x u ) V. 

Lemma subst.typ .preserves .typing (e : env) (t : term) (U P : typ) k : 

typing (etvar e k)t U —> kinding e P k — >• typing e (subst.typ t 0 P) (tsubst U 0 P). 

Finally, we prove regularity, which is to say that the type of any well-typed term is kinded. This is 
a consequence of the fact that any well-formed type is kindable. All these results correspond directly to 
the paper proofs of Stump and Hayes. 

Theorem regularity (e : env) (t : term) ( U : typ) : typing e t U — ^ 3 k : kind, kinding e U k. 


5 Normalization 


To show that hereditary substitution is well-defined, we must provide an order of termination. In our 
case, we will have a lexicographic combination of a multiset ordering on kinds. To formalize this, we 
reuse CoLoR’s [ ] library of multisets and definition of the multiset order. Those are multisets on ordered 
types, here natural numbers with the usual ordering, which is well-founded. 

Notation ”X < m Y” := (MultisetLt gt X Y ) (at level 70). 

Definition wf.multiset.order : well-founded (MultisetLt gt). 

The kinds.of function computes the multiset of kinds appearing in a type, which reduces to the 
bounds of universal quantifications. 

Equations kinds.of {t : typ) : Multiset := 

kinds.of (tvar _) empty; kinds.of (arrow TU)4 union (kinds.of T) (kinds.of U)\ 

kinds.of (all kT)=t union {k} (kinds.of T). 
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Clearly, the singleton multiset built from any valid kind for T bounds the bag of kinds appearing in 
T, according to the kinding rules. This is proved by induction on the kinding derivation: 

Lemma kinds_of_kinded e T k : kinding e T k — >■ kinds_of T <mul { k }. 

Kinds in a type are invariant by shifting or lifting. This is a simple example of a proof by functional 
elimination. The T argument and result of kinds_of T get refined and we just need to simplify the right 
hand sides according to the definitions of kinds_of and tshift, using rewriting not computation, and finish 
by rewriting with the induction hypotheses. 

Lemma kinds_of_tshift X T : kinds_of (tshift X T) = kinds_of T. 

Proof. 

funelim (kinds_of T)\ simp kinds-of tshift', now rewrite H, ‘-.HO. 

Qed. 

For type substitution of T in U however, an exact arithmetic relation holds. We know that the multiset 
of kinds of the substituted type can appear a finite number of times in the resulting type, along with the 
original kinds of U. 

Lemma kinds_of_tsubst e e’ X T U k : env_subst X T e e’ — >• kinding eU k — » 

3 n : nat, kinds_of (tsubst U XT) =mul= kinds_of U + mul_sum n (kinds_of T). 

This allows us to derive a general result about kindings of universal types: any well-kinded instance 
substitution produces a type with a strictly smaller bag of kinds. This is the central result needed to show 
termination. In Stump’s work, the measure considered was solely the depth of types, and only through 
the stricter kinding invariant could the order be shown well-founded. 

Lemma kinds_of_tsubst_all e U k k’ T : kinding e (all k U) k’ -t 
kinding e T k — > kinds_of (tsubst U 0 T) <mul kinds_of (all k U). 

5.1 Definition of the measure. 

We first define the depth of a type as being the number of universal quantifications and type variables in 
that type. 

Equations depth {t : typ) : nat := 

depth (tvar _) =>• 1; depth (arrow T U) (depth T + depth U)%nat\ 

depth (all k U) => S (depth U). 

Of course, it cannot be zero, which is useful since it allows to have depth T < depth (arrow T U), 
which will be needed to prove the well-foundedness of the hereditary substitution. 

Lemma depth _nz t : 0 < depth t. 

The order that we will use on types is a lexicographical order on the multiset of kinds and the depth. 
As the first part of the lexicographic product is a multiset, and as those should not be compared with the 
Leibniz equality but rather a specific setoid equality, we defined a generalized notion of lexicographic 
product up-to an equivalence relation on the first component, here meq which represents multiset equal¬ 
ity. 

Definition relmd : relation (Multiset x nat) := lexprod (MultisetLt gt) meq It. 

It is well-founded, relying ultimately on the well-foundedness of It. 

Definition wf_relmd : well-founded relmd. 
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The actual order is relmd on the kinds_of and depth measures on types. 

Definition order (x y : typ) := relmd (kinds_ofx, depth*) (kinds_ofy, depth y). 

Definition wf_order : well-founded order. 

It is well-founded and clearly transitive. Lemma order_trans t uv \ order t u -A order u v -A order 
tv. 

As we expected, we can compare a type with an arrow on that type, on the left and on the right. 

Lemma order_arrow_l : V A B, order A (arrow A B). 

Lemma order_arrow_r : VA6, order B (arrow A B). 

We also define the reflexive closure of this order. It will be useful to express the postcondition of the 
hereditary substitution function, as we will explain below. 

Definition ordtyp := clos_refl order. 

Finally, we define the size of a term as usual. 

Equations {nocomp) term_size {t : term) : nat := 

term_size (var _) => 0; term_size (abs T t) =$■ S (term_size ?); 

term_size (app t u) =>- S (term_size t + term_size n); 

term_size (tabs k t) =£• S (term_size t); term_size (tapp t U) => S (term_size t). 

Definition wf_term_size : well-founded (MR term_size It) := wf_ inverse-image It term_size lt_wf. 

The hereditary substitution order is a lexicographic combination of the order on the multisets of kinds 
in the substituted term’s type, the number of universal quantifiers and type variables in the substituted 
term’s type, and the term size of the substituend. In other words, with U the type of the substituted term 
and t the substituend, we first compare the multiset of kinds in U, then the depth of U, and ultimately the 
size of t. 

Definition her_order : relation (typ x term) := 

lexprod order (fun * y =>- kinds_of * = kinds_of y A depth x = depth v) (MR term_size It). 

Instance WF_her_order : Wei I Founded her .order. 


5.2 The model 

We now turn to the interpretation proper. We characterize the normal forms as a subset of the terms using 
mutually-inductive normal and neutral judgments. The plan is to show that the hereditary substitution 
function, when given two terms in normal form will produce terms in normal form. We can already 
expect some complications as normal terms also include neutral ones... 

Inductive normal : term — > Prop := 

| normaLabs T t : normal t -A normal (abs T t) 

| normal-tabs k t : normal t — > normal (tabs k t) 

| normaLneutral r : neutral r -A normal r 
with neutral : term -A Prop := 

| neutraLvar i : neutral (var i) 

| neutraLapp t n : neutral t -A normal n -A neutral (app t n) 

| neutraLtapp t T : neutral t -A neutral (tapp t T). 
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A term t is said to be a canonical inhabitant of a type T in environment e if e P t : T and t is in normal 
form. Our goal will be to show that every typeable term can be normalized to a canonical one. 

Definition canonical e t T := typing e t T A normal t. 

We define a relation expressing that n is the interpretation of some arbitrary term t of type T and in 
environment e. Definition interp e t T n := reds t n A canonical e n T. 

5.3 Hereditary substitution 

As we said, hereditary substitution takes two terms t and u in normal form and returns a term which is 
the result of substituting u in t at some index. From a purely algorithmic point of view, we only need t, u 
and the index X to compute the result of this function. Flowever, we need more to prove its correctness. 

First of all, the well-founded order that we use to justify its termination is an order on the type of the 
substituted and on the substituend, which is why the function hsubst also takes as an argument the type 
of the substituted term. 

We then need a typing environment for t and u, which is not useful from a computational point of 
view but will serve to prove the termination and the correctness of hsubst. To this effect, we will decorate 
the function with a precondition and a postcondition. We define those in the universe of propositions to 
underline the fact that they are not useful in a computational way. 

Definition pre ( t : typ x term) ( u : term) {X : nat) {p : env x typ) : Prop := 

(get_var (fst p) X = Some (fst t) A canonical (fst p) (snd t) (snd p) 

A canonical (remove_var (fst p) X) u (fst t)). 

There is one subtle point in the formulation of the postcondition. When we substitute in an applica¬ 
tion app tl t2, it may be that the result of substituting in tl is an abstraction abs T t. If that’s the case, to 
preserve the invariant that the result of hsubst is in normal form, we have to call again hsubst to perform 
the beta-reduction. However to do this, we need to know that the type of tl is smaller than the type of 
the substituted term. Note that we need to add a side-condition to this property, which is not always true: 
if the substituted variable did not appear at all, then there is no reason to have any relation between those 
types. There is a relation only if the original term was not an abstraction but the substituted term is. 

Equations is_abs (f : term) : Prop := 

is_abs (abs _ _) => True; is_abs (tabs _ _) => True; is_abs _ => False. 

Definition post {t : typ x term) (u : term) ( X : nat) (r : term) {p : env x typ) : Prop := 
interp (remove_var (fst p) X) (subst (snd t) X u ) (snd p) r A 
(-1 is_abs (snd t) — > is_abs r — > ordtyp (snd p) (fst t )). 

The Program mode proposed by COQ interacts nicely with EQUATIONS, in that it allows us to just 
return a term, and provide later the postcondition, thanks to subtyping of subset types. In the same way, 
we can treat a value returned by a call as if it was just the term. We use a standard encoding for the ghost 
p : env x typ variable. The (noind) option disables the generation of the graph and elimination principle 
for the function, its type and computational behavior is all we need here. 

EquationsQro/nd) hsubst {t : typ x term) (u : term) ( X : nat) (P :3 (p : env x typ) , pre t uX p) : 
{r : term | V (p : env x typ), pre tuXp — > post t u X r p} := 

hsubst tuXP by rec t her_order => 

hsubst (pair Ut ) uX P ■$= t => { 
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| var i 4= lt_eq_lt_dec / X =>■ { 

| inleft (right p) =>■ u\ | inleft (left p) =>■ var i\ 

| inright p =>■ var (pred i) }; 

| abs T t abs T (hsubst (U, t) (shift 0 u) (S X) _) ; 

| tabs k t =>- tabs k (hsubst (tshift 0 U , t) (shift_typ 0 u) X _) ; 

| tapp t T 4 = hsubst {U , t ) uX _ => { 

| exist (tabs k t’) P => subst_typ t’ 0 T\ 

| exist r P =>- tapp r T }; 

| app tl t2 4 = hsubst (U, t2) u X _ =>- { 

| exist r2 P2 4 = hsubst (U, tl ) uX_=>{ 

| exist (abs T't') PI =>■ hsubst (7” , t’) r2 0 
| exist rl PI => app rl r2 } } }. 

With hsubst defined, it is now easy to implement a normalize function which takes a term and re¬ 
turns its normal form. As for hsubst, we add a precondition and a postcondition which allow to show 
correctness by construction. 

Definition pre’ ( t : term) (p : env x typ) : Prop := 
typing (fst p) t (snd p). 

Definition post’ ( t : term) (n : term) (p : env x typ) : Prop := 
interp (fst p) t (snd p) n. 

Equations(/io//ir/) normalize (t : term) (P :3 (p : env x typ) , pre’ t p) : 

{n : term | V {p : env x typ), pre’ t p — >• post’ t n p} := 
normalize (var i) P => var i; 
normalize (abs Tl t) P abs Tl (normalize t _) ; 
normalize (app tl t2) P <= normalize t2 _ ^ { 

| exist t2' P2' <t= normalize tl _ =$■ { 

| exist (abs T t) PI’ hsubst (T, t) t2’ 0 _ ; 

| exist tl’ PI' app tl ’ t2’ } }; 
normalize (ta bs k t) P => ta bs k (normalize t _) ; 
normalize (tapp t T) P <^= normalize t _ =$■ { 

| exist (tabs k t') P' =>- subst_typ TOT; 

| exist t’ P’ => tapp t’ T }. 

The existence of the normalize function is in itself a proof of the strong normalization of Leivant’s 
Predicative System F. 

Theorem normalization e t T : typing e t T — > 3 n , reds t n A typing e nT A normal n. 

5.4 Consistency 

It is easy to show consistency based on the normalization function. We just need lemmas showing that 
neutral terms cannot inhabit any type in an environment with only a type variable, by inversion on the 
neutrality derivation. 

Lemma neutral_tvar t k T : neutral t — > typing (etvar empty_env k) t T — > False. 

Consistency is then proved using case analysis on an assumed typing derivation of falsehood at any 
universe level k. Informally, it is showing that V X :* k, X is not inhabited for any k. 
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Corollary consistency k: -> 3 t , typing empty_env t (all k (tvar 0)). 

6 Related Work and Conclusion 

There are many formalizations of similar calculi, and we do not claim any originality there. However, 
to our knowledge, the multiset ordering used to show normalization is original. The point of this paper 
is more to show that the EQUATIONS plugin is ready to handle more consequent developments and 
showcase its features. Is has similar expressivity w.r.t. Agda and Idris, but derives more principles, and 
everything is compiled down to vanilla COQ terms, so it does not change the trusted code base except for 
the use of K, which we are hopeful we can get rid of by the time of the workshop. 

It would be interesting to study extensions of the language with type recursion. As shown by Leivant, 
this would allow to type terms that are not typeable in second-order lambda calculus. We will also need 
to extend the language with existentials, pairs and a minimal notion of inductive types to be able to 
handle a larger class of programs. One of the possible venues for generalization is to extend the work of 
Malecha et al [7] to reflect a larger fragment of Gallina, the language of COQ. 
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A Extracted code 

let hereditary_subst t u x = 
let rec fix_F xO = 

let h = fun y -> fix_F y in 
(fun uO xl _ -> 
let Pair (tO , tl) = xO in 
(match tl with 
I Var n -> 

(match lt_eq_lt_dec n xl with 
I Inleft s -> 

(match s with 
I Left -> Var n 
I Right -> uO) 

I Inright -> Var (pred n) ) 

I Abs (t2, refine) -> 

Abs (t2 , (h (Pair (tO , refine)) (shift 0 uO) (S xl) __)) 

I App (refinel, refine2) -> 

(match h (Pair (tO, refinel)) uO xl __ with 
I Abs (t2, x2) -> 

h (Pair (t2 , x2)) (h (Pair (tO , refine2)) uO xl __) 0 

I x2 -> App (x2 , (h (Pair (tO , refine2)) uO xl __))) 

I Tabs (k, refine) -> 

Tabs (k, (h (Pair ((tshift 0 tO) , refine)) (shift_typ 0 uO) xl __)) 
I Tapp (refine, t2) -> 

(match h (Pair (tO , refine)) uO xl __ with 
I Tabs (k , x2) -> subst_typ x2 0 t2 
I x2 -> Tapp (x2, t2)))) 
in fix_F t u x 

type normalize_comp = term 

(** val normalize : term -> normalize_ comp **) 

let rec normalize = function 
I Var n -> Var n 

I Abs (tO, tl) -> Abs (tO, (normalize tl)) 

I App (tl, t2) -> 

(match normalize tl with 

I Abs (tO, xO) -> hereditary_subst (Pair (tO , xO)) (normalize t2) 0 

I x -> App (x, (normalize t2))) 

I Tabs (k, tO) -> Tabs (k, (normalize tO)) 

I T app (tO, tl) -> 

(match normalize tO with 
I Tabs (k, x) -> subst_typ x 0 tl 
I x -> Tapp (x , tl ) ) 




